Got it:
"A TLS server key and self-signed cert for 127.0.0.1 are also required;
see listen on in the RELAYS section for more details about certificate
locations."
e.g.:
openssl req -x509 -days 365 -newkey rsa:2048 \
-keyout /etc/ssl/private/127.0.0.1.key -out /etc/ssl/127.0.0.1.crt
On Tue, Apr 28, 2020 at 2:36 PM Pascal Guitierrez <
[email protected]> wrote:
> Hi misc@
>
> I am using the example for the TLS inspection from the relayd.conf(5) man
> page:
>
> # openssl req -x509 -days 365 -newkey rsa:2048 \
> -keyout /etc/ssl/private/ca.key -out /etc/ssl/ca.crt
>
> I set the PEM password to "password123"
>
> then have the following relayd.conf:
> http protocol httpfilter {
> return error
>
> pass
> match label "Prohibited!"
> block url "social.network.example.com/"
>
> # New configuration directives for SSL/TLS Interception
> tls ca key "/etc/ssl/private/ca.key" password "password123"
> tls ca cert "/etc/ssl/ca.crt"
> }
>
> relay tlsinspect {
> listen on 127.0.0.1 port 8443 tls
> protocol httpfilter
> forward with tls to destination
> }
>
> and I get when running: relayd -n
> /etc/relayd.conf:17: cannot load certificates for relay tlsinspect
>
> tested on 6.6 and -current from a few days prior, both amd64
>
> am I missing a step here?
>
> thank you!
>
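To make the missing step concrete, here is an added shell example (not from the thread or from the relayd project) that creates both key pairs the inspection relay needs, the CA pair for "tls ca key"/"tls ca cert" and the server pair for "listen on 127.0.0.1 port 8443 tls", and pre-checks them the way relayd.conf(5) describes the lookup (address:port first, then address). It assumes openssl(1) is installed and writes to a scratch directory (SSL_ROOT) rather than /etc/ssl so it can run unprivileged; the function names and CA_PASS are this example's own.

```shell
#!/bin/sh
# Added example: generate the CA pair for TLS inspection plus the server
# pair relayd loads for "listen on 127.0.0.1 port 8443 tls", then pre-check
# them. SSL_ROOT defaults to a scratch dir; set it to /etc/ssl on the relay host.
set -eu
SSL_ROOT="${SSL_ROOT:-$(mktemp -d)}"
CERT_DIR="$SSL_ROOT"
KEY_DIR="$SSL_ROOT/private"
CA_PASS="${CA_PASS:-password123}"   # passphrase used in the thread; placeholder

# gen_pair NAME CN [PASS]: self-signed RSA key + cert, named as relayd expects.
# With PASS the key is encrypted (for 'tls ca key ... password "..."'); without it
# the key is written unencrypted, which is how a listen key must be stored.
gen_pair() {
    mkdir -p "$KEY_DIR" && chmod 700 "$KEY_DIR"
    if [ -n "${3:-}" ]; then enc="-passout pass:$3"; else enc="-nodes"; fi
    openssl req -x509 -days 365 -newkey rsa:2048 $enc -subj "/CN=$2" \
        -keyout "$KEY_DIR/$1.key" -out "$CERT_DIR/$1.crt" 2>/dev/null
    chmod 600 "$KEY_DIR/$1.key"
}

# key_matches_cert KEY CRT [PASS]: 0 if the key's public half is the cert's.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -passin "pass:${3:-}" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# relay_cert_name ADDR PORT: basename relayd looks up, ADDR:PORT then ADDR.
# Prints the name found; returns 1 when neither pair exists (the thread's error).
relay_cert_name() {
    for n in "$1:$2" "$1"; do
        if [ -r "$KEY_DIR/$n.key" ] && [ -r "$CERT_DIR/$n.crt" ]; then
            echo "$n"; return 0
        fi
    done
    return 1
}

# preflight: everything relay "tlsinspect" from the thread needs is in place.
preflight() {
    n=$(relay_cert_name 127.0.0.1 8443) || return 1
    key_matches_cert "$KEY_DIR/ca.key" "$CERT_DIR/ca.crt" "$CA_PASS" || return 1
    key_matches_cert "$KEY_DIR/$n.key" "$CERT_DIR/$n.crt"
}

main() {
    gen_pair ca "relayd inspection CA" "$CA_PASS"
    gen_pair 127.0.0.1 127.0.0.1
    preflight && echo "ok: relay will load $CERT_DIR/127.0.0.1.crt"
}
main "$@"
```

Running it with SSL_ROOT unset only touches a temporary directory; `preflight` failing is the same condition that makes `relayd -n` report "cannot load certificates".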